Stop Using the Base TCP Profile!
[Update 1 Mar 2017: F5 has new built-in profiles in TMOS v13.0. Although the default profile settings still haven't changed, there is good news on that from as well.]
If the customer data I've seen is any indication, the vast majority of our customers are using the base 'tcp' profile to configure their TCP optimization. This has poor performance consequences and I strongly encourage you to replace it immediately.
What's wrong with it?
The Buffers are too small. Both the receive and send buffers are limited to 64KB, and the proxy buffer won't exceed 48K . If the bandwidth/delay product of your connection exceeds the send or receive buffer, which it will in most of today's internet for all but the smallest files and shortest delays, your applications will be limited not by the available bandwidth but by an arbitrary memory limitation.
The Initial Congestion Window is too small. As the early thin-pipe, small-buffer days of the internet recede, the Internet Engineering Task Force (see IETF RFC 6928) increased the allowed size of a sender's initial burst. This allows more file transfers to complete in single round trip time and allows TCP to discover the true available bandwidth faster.
Delayed ACKs. The base profile enables Delayed ACK, which tries to reduce ACK traffic by waiting 200ms to see if more data comes in. This incurs a serious performance penalty on SSL, among other upper-layer protocols.
What should you do instead?
The best answer is to build a custom profile based on your specific environment and requirements. But we recognize that some of you will find that daunting! So we've created a variety of profiles customized for different environments. Frankly, we should do some work to improve these profiles, but even today there are much better choices than base 'tcp'.
If you have an HTTP profile attached to the virtual, we recommend you use tcp-mobile-optimized. This is true even if your clients aren't mobile. The name is misleading! As I said, the default profiles need work.
If you're just a bit more adventurous with your virtual with an HTTP profile, then mptcp-mobile-optimized will likely outperform the above. Besides enabling Multipath TCP (MPTCP) for clients that ask for it, it uses a more advanced congestion control ("Illinois") and rate pacing. We recognize, however, that if you're still using the base 'tcp' profile today then you're probably not comfortable with the newest, most innovative enhancements to TCP. So plain old tcp-mobile-optimized might be a more gentle step forward.
If your virtual doesn't have an HTTP profile, the best decision is to use a modified version of tcp-mobile-optimized or mptcp-mobile-optimized. Just derive a profile from whichever you prefer and disable the Nagle algorithm. That's it! If you are absolutely dead set against modifying a default profile, then wam-tcp-lan-optimized is the next best choice. It doesn't really matter if the attached network is actually a LAN or the open internet.
Why did we create a default profile with undesirable settings?
That answer is lost in the mists of time. But now it's hard to change: altering the profile from which all other profiles are derived will cause sudden changes in customer TCP behavior when they upgrade. Most would benefit, and many may not even notice, but we try to not to surprise people.
Nevertheless, if you want a quick, cheap, and easy boost to your application performance, simply switch your TCP profile from the base to one of our other defaults. You won't regret it.
Published Oct 14, 2015
Version 1.0
Lee_Payne_53457Cirrostratus
Very interesting, I always assumed that the TCP profile was optimized in some way to provide a trade off between speed and device performance, time to go look at all of our VS's now and try to change them over.- Hi Lee, The 'tcp' profile is pretty old, and I'm sure there were good reasons for the settings. But in the modern internet the settings are pretty archaic.
Andrew_HuskingCirrus
Is there any documentation around on which tcp profiles should be used in what circumstances? We're in a similar boat to Lee, and i'm looking to see what profiles are best for us to update to.- Hi Andrew, We have a project to improve the profiles, to make choices easier, as well as publish better guides for creating your own profiles. You can learn more about configuration options through both online help and by poking around previous articles about the TCP profile, both by me and others. If you're looking for a very quick summary I'd just follow the advice under "What should you do instead?" above.
- Andrew, I also should refer you to these two white papers about tuning your TCP profile: Optimize WAN and LAN Application Performance with TCP Express TCP Optimization for Service Providers
- Nobumichi_Atobe
Nimbostratus
Hi there. Do you think applying this recommendation will improve SSL-VPN by APM? Also would this improve the throughput of applications transmitting over the SSL-VPN tunnel? I have read this page and the white paper Martin shared here but not 100% sure if this is effective for APM. 
Carl_BrothersEmployee
Nobumichi, I think that this is very relevant for the SSL VPN use case as well. Remember that all of this rides over TCP in the end.- Walter_KacynskiI've noticed that the Hardware SYN Cookie protection option has been disabled in the default mptcp-mobile-optimized profile. Why is that?
- I've noticed that the Hardware SYN Cookie protection option has been disabled in the default mptcp-mobile-optimized profile. Why is that?
The mptcp-mobile-optimized protocol enables MPTCP, which is incompatible with hardware syn cookies. 
ge0ff73_32053I understand this profile will be applied to the Client Protocol Profile. Should we also apply this to the Server Protocol Profile for a LAN connected server pool?
